Authenticate with your ISP using outgoing SMTP authentication

agileadmin Administration

If you are running your Zimbra server in your office then it is recommended that your Zimbra server use the ISP for the office as a relay MTA. This tells Zimbra to relay all email directly to the ISP's email server instead of attempting to deliver the email directly to the destination mail server.

The advantage of using the ISP as the email relay is that your email is far less likely to be marked as spam, because common anti-spam checks such as reverse IP address lookups, presence in spam databases and correct MX records will pass. ISPs are also generally very quick to submit requests to remove their IP addresses from spam databases, which saves you time.

Setting up an email relay in Zimbra is very straightforward. You can also check or set the MTA relay server in the Zimbra Administration Web GUI.

What is harder to configure is authentication for the MTA relay. Where your ISP requires authentication for all relayed email, you must ALSO configure Zimbra to automatically authenticate with the ISP to relay the email.

Follow the steps below to set up MTA relay with authentication. NOTE: The following steps require that you are logged into the Zimbra console as the Zimbra user.

  1. To check whether an MTA relay is set for your Zimbra server, log in to the Zimbra console and issue this command: zmprov gs your.server.name zimbraMtaRelayHost (your.server.name is your Zimbra host name).
  2. If the MTA relay is not set, then you can easily set it using this command: zmprov ms your.server.name zimbraMtaRelayHost relay.server.name (relay.server.name is the host name of the MTA relay server).

To configure authentication for the MTA relay, follow these steps (shell console, as the Zimbra user):

  1. Create a text file mapping each MTA relay server to the name/password (generally the ISP login/password) that should be used for it.
  2. You can have more than one MTA relay server in this file, just add one per line: echo relay.server.name username:password > /opt/zimbra/conf/relay_password
  3. Create a postfix lookup table: postmap hash:/opt/zimbra/conf/relay_password
  4. To test that the lookup table is correct, the following should return username:password: postmap -q relay.server.name /opt/zimbra/conf/relay_password
  5. Configure postfix to use the new password map: postconf -e smtp_sasl_password_maps=hash:/opt/zimbra/conf/relay_password
  6. Configure postfix to use SASL authentication: postconf -e smtp_sasl_auth_enable=yes
  7. Enable TLS: postconf -e smtp_use_tls=yes

By default, Zimbra is configured not to allow plain text authentication. However, we have found that most ISPs only accept plain text. So it is recommended to enable plain text authentication: postconf -e smtp_sasl_security_options=noanonymous

Configure postfix to use the outgoing server name rather than the canonical server name (what is returned from a DNS lookup). For example, if the MTA relay is set to smtp.gmail.com but the canonical server name is gmail-smtp.l.google.com, then the password lookup will fail as there is no entry for gmail-smtp.l.google.com.

To overcome this: postconf -e smtp_cname_overrides_servername=no

Restart postfix: postfix reload

Send an email and watch the Zimbra logs: less /var/log/zimbra.log

If everything is correct then you should see email being relayed out through your ISP's mail server.

IMPORTANT: The configuration changes to the Postfix mail system will be reset to the default Zimbra Postfix configuration each time Zimbra is upgraded. So you will need to perform the SAME postconf commands after each Zimbra upgrade to retain the relay MTA authentication. Read more at wiki.zimbra.com/wiki/Outgoing_SMTP_Authentication
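Because an upgrade silently resets these settings, a quick audit after each upgrade shows which postconf commands need to be re-run. The script below is an added example, not part of the original post or of Zimbra; the function names check_relay_settings and check_secret_perms are hypothetical, and it assumes the "name = value" format that postconf prints.

```shell
#!/bin/sh
# Added example (not from the original page): audit the relay-auth settings
# after a Zimbra upgrade. Function names are hypothetical.

# Expected values, copied from the postconf -e commands in the steps above.
EXPECTED='smtp_sasl_password_maps=hash:/opt/zimbra/conf/relay_password
smtp_sasl_auth_enable=yes
smtp_use_tls=yes
smtp_sasl_security_options=noanonymous
smtp_cname_overrides_servername=no'

# Reads "name = value" lines (postconf output format) on stdin, prints one
# line per setting that is missing or different, returns 1 if any drifted.
check_relay_settings() {
    actual=$(cat)
    status=0
    while IFS='=' read -r name want; do
        # Keep the last match if a name appears more than once.
        have=$(printf '%s\n' "$actual" | awk -v n="$name" \
            'index($0, n " = ") == 1 { v = substr($0, length(n) + 4) } END { print v }')
        if [ "$have" != "$want" ]; then
            echo "DRIFT $name: want '$want', have '${have:-<unset>}'"
            status=1
        fi
    done <<EOF
$EXPECTED
EOF
    return $status
}

# The password map and its postmap-generated .db hold the ISP credentials in
# clear text. Returns 0 only if the file exists and grants no group/other
# access (mode 600 or stricter), 1 otherwise.
check_secret_perms() {
    perms=$(ls -ld "$1" 2>/dev/null | cut -c5-10)
    [ "$perms" = "------" ]
}

# Typical use on the server, as the zimbra user:
#   postconf | check_relay_settings
#   check_secret_perms /opt/zimbra/conf/relay_password
#   check_secret_perms /opt/zimbra/conf/relay_password.db
```

Each DRIFT line names a setting whose postconf -e command from the steps above has to be applied again, followed by postfix reload.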